Upon adding a new device to the system, this rule kicks in and verifies that the major and minor numbers match '/dev/random,' which is loaded at the system start and serves as a random number generator for many applications and system functions. The malware's script, "asedexpb," is executed by the final rule component (RUN+= "asedexpb run:+"). The attackers make sure the malware is run repeatedly by making /dev/random a precondition.

Most notably, security solutions do not keep an eye on /dev/random, a crucial Linux system component. Therefore, abusing it ensures that the infection avoids detection. The malware mimics a genuine system process by naming its process "kdevtmpfs," which further blends in with regular activity and makes it more difficult to identify using traditional approaches.

In terms of how it operates, the malware creates a reverse shell that allows the attacker to remotely access the compromised device using pipes or forkpty. To conceal the existence of any file containing the string "sedexp" from common programs like "ls" or "find," sedexp additionally uses memory manipulation techniques. It can also change the behavior of already-installed applications and system processes, or modify memory contents to insert malicious code.

The malware has been in use in the wild since at least 2022, according to the researchers. They discovered it to be undetected in numerous internet sandboxes (of the three sedexp samples in the paper, only two antivirus engines label it as dangerous on VirusTotal). The malware is involved in financially motivated attacks since it has been used to conceal credit card scraping code on compromised web servers.

Impact

• Financial Loss
• Unauthorized Access
• Code Execution
• Security Bypass

Indicators of Compromise

MD5

• 9482d7b91ae2c431e8e584cee62ac3e5
• 6b65b22b414e748f3845393274392dad
• b0dab95a7771a37b206ea4da3095b9cf

SHA-256

• 43f72f4cdab8ed40b2f913be4a55b17e7fd8a7946a636adb4452f685c1ffea02
• 94ef35124a5ce923818d01b2d47b872abd5840c4f4f2178f50f918855e0e5ca2
• b981948d51e344972d920722385f2370caf1e4fac0781d508bc1f088f477b648

SHA-1

• e8530cf5652d35148b2fa6f963387d8f21c2ee52
• dc34d9ad71dc0ab768b611bdaa2bd922227cff54
• e824f6af7bd8d80a861a346676cb06d8f9818b77

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Identify and isolate compromised systems or hosts that are confirmed to be affected by the malware. Disconnect them from the network to prevent further communication with command-and-control servers.
• Regularly update and patch software and systems to mitigate vulnerabilities.
• Conduct regular security audits and penetration testing to identify and address weaknesses.
• Review and reset user account passwords, especially those with elevated privileges, to prevent unauthorized access. Disable or remove any compromised accounts.
• Ensure secure storage of backups and sensitive information with access restricted to authorized personnel only.
• Implement strict access controls and the principle of least privilege (PoLP) to restrict user and system access rights. This reduces the attack surface.
• Continuously monitor command-and-control (C2) traffic patterns and communications to identify anomalies and block malicious C2 activity.
• Train employees and staff on cybersecurity best practices and how to recognize phishing attempts and social engineering tactics.
• Develop a robust incident response plan that outlines steps to take in the event of a breach. This should include procedures for containment, investigation, and notification of affected parties.